Modelling versus remote hybrid test bed
E. Ciancamerla, B. Fresilli, M. Minichino, T. Patriarca
Efficiency of electrical grids under cyber attacks on their SCADA, Rome, 16th December 2014
Summary
Brief introduction of SCADA
Common security problems of SCADA
Typical attacks on SCADA devices
Modelling limits
Towards a test bed: the ENEA test bed
Cyber attacks on a SCADA subset
Effects of attacks on SCADA devices
SCADA system architecture
SCADA (Supervisory Control And Data Acquisition) systems are designed to:
Collect field information by means of local processors (PLC/RTU);
Transfer the information to a central computer (SCADA Control Server);
Display the information to the operator graphically or textually (HMI);
Allow the operator to monitor and control an entire system from a central location in real time.
All the components of the SCADA system are connected by serial line, Ethernet or Wi-Fi, using protocols such as Modbus, DNP3 and OPC.
Corporate network & SCADA (figure: the corporate network connected to the SCADA system; local processors PLC/RTU in the field, centralized control by HMI + SCADA Control Server)
Cyber security on SCADA system (1/3)
In past years, SCADA systems operated in closed, proprietary networks. For instance, Modbus, a common SCADA protocol, was originally designed for use only within simple process control networks, to enable low-speed serial communication between clients and servers.
In recent years, the rapid development of Information and Communication Technology (ICT) has led to the full integration of SCADA communications into telecommunication networks based on the IP protocol (e.g. Modbus on TCP/IP).
In this new scenario the SCADA system is no longer isolated: it is exposed to a series of attacks, because its protocols and devices were designed without security in mind.
Cyber security on SCADA system (2/3)
Common problems on SCADA systems:
Lack of authentication: no authentication at all, or simple authentication with default login/password (e.g. user/user)
Many open services with anonymous access or simple accounts (e.g. FTP service)
No encryption used: all protocols are clear text
SCADA systems are vulnerable to cyber attacks at different layers:
Host level (e.g. software vulnerabilities of the OS and applications)
Network level (e.g. Modbus does not have any security feature such as authentication or encryption)
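As an added example (not part of the original presentation), the following Python code builds and decodes a Modbus/TCP "Write Single Register" request, to show concretely what the lack of authentication and encryption in Modbus means on the wire: the frame carries a transaction id, a unit id, a function code, a register address and a value, and nothing else, so any host that can reach TCP port 502 of the PLC can issue a command, and anyone in the path can alter one. The register address 100 and the setpoint value 1500 are hypothetical.

```python
import struct

# Modbus/TCP application data unit (ADU): a 7-byte MBAP header followed by the
# PDU (function code + data). There is no field for a sender identity, a
# password or an integrity check.
MBAP = struct.Struct(">HHHB")  # transaction id, protocol id (always 0), length, unit id
FC_READ_HOLDING = 0x03
FC_WRITE_SINGLE_REG = 0x06


def build_write_single_register(tid, unit, address, value):
    """Build the ADU of a Modbus 'Write Single Register' (0x06) request."""
    pdu = struct.pack(">BHH", FC_WRITE_SINGLE_REG, address, value)
    header = MBAP.pack(tid, 0, len(pdu) + 1, unit)  # length counts unit id + PDU
    return header + pdu


def parse_request(adu):
    """Decode a captured Modbus/TCP request: exactly what a sniffer sees."""
    tid, proto, length, unit = MBAP.unpack_from(adu, 0)
    if proto != 0 or length != len(adu) - 6:
        raise ValueError("not a well-formed Modbus/TCP ADU")
    fc = adu[7]
    info = {"transaction_id": tid, "unit_id": unit, "function_code": fc}
    if fc == FC_WRITE_SINGLE_REG:
        info["register"], info["value"] = struct.unpack_from(">HH", adu, 8)
    elif fc == FC_READ_HOLDING:
        info["start"], info["count"] = struct.unpack_from(">HH", adu, 8)
    return info


def forge_from_capture(captured, new_value):
    """Rewrite the value of a captured write request.

    A man in the middle only has to change two bytes: nothing in the frame
    binds it to the legitimate SCADA Control Server.
    """
    tid, _proto, _length, unit = MBAP.unpack_from(captured, 0)
    (register,) = struct.unpack_from(">H", captured, 8)
    return build_write_single_register(tid, unit, register, new_value)


if __name__ == "__main__":
    # Constructed example: the SCADA server writes setpoint 1500 into holding
    # register 100 of unit 1 (hypothetical register map, not from the slides).
    legit = build_write_single_register(1, 1, 100, 1500)
    print(legit.hex())
    print(parse_request(legit))
    print(parse_request(forge_from_capture(legit, 0)))
```

The decoded output shows that the forged frame is indistinguishable from the legitimate one apart from the value it carries; this is the mechanism behind the "fake controllability" consequence discussed later.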
Cyber attacks on SCADA system (3/3)
Host level attack examples:
Old or unpatched operating systems and applications are vulnerable to buffer overflow and SQL injection attacks, causing:
Corruption of the correct behaviour of the program (e.g. incorrect data monitoring or data visualization)
Modification of database content (e.g. login and password of the administration users, setpoint configuration)
Network level attack examples:
Denial of Service (DoS): the attacker sends a large number of service requests to the server in a short time, slowing down or exhausting the server resources
Man In The Middle (MITM): the attacker intercepts the traffic between two SCADA devices (e.g. HMI and SCADA Control Center, or SCADA Control Center and PLC). The two devices believe they are exchanging information with the legitimate interlocutor, but the attacker may sniff the information and/or send false messages (e.g. sniffing the SCADA login/password, viewing or modifying commands or monitoring data)
Consequences of attacks:
Loss of / fake observability: the SCADA Control Center cannot receive packets from the PLC, or receives false ones
Loss of / fake controllability: the PLC/RTU cannot receive packets from the SCADA Control Center, or receives false ones
Modelling limits
Modelling describes, in a simplified way, the state of the corporate network and SCADA elements with respect to cyber security, the attack and consequence scenarios, and the impact of the incorrect functioning of such elements on the quality of service indicators of the SCADA system and of the electrical grid.
Modelling assumptions fail to realistically reproduce cyber attacks and their propagation across the corporate network and the SCADA devices.
ENEA test bed architecture (1/2)
The ENEA test bed is based on a switched LAN.
The LAN is configured with a private IP address plan provided by the IEC, so that it can coexist with the IPsec VPN connection to the remote sites.
Test bed nodes (LAN 172.27.228.0/24 provided by IEC):
HMI: IP 172.27.228.10
SCADA Control Server: IP 172.27.228.3
Attacker: IP 172.27.228.9
NIDS: IP 172.27.228.11
VPN gateway (virtual machine) towards the IEC remote site: IP 172.27.228.1
PLC: IP 172.27.228.102 and 172.27.228.103
ENEA test bed architecture (2/2)
The ENEA test bed is constituted by:
• Human Machine Interface (HMI)
• SCADA Control Server
• Programmable Logic Controller (PLC)
• Attacker
• Network Intrusion Detection System (NIDS)
PLC: hardware architecture
Modicon M340 PLC hardware architecture:
1. Rack with 4 slots
2. Power supply
3. Processor with USB and Ethernet interfaces (BMX P34 CPU B)
4. Discrete I/O module
5. Ethernet RTU module (BMX NOR 0200H)
How to manage the Modicon M340 PLC?
Remote diagnostics and monitoring via the built-in web server and the SCADA system
Remote programming and download of the control program with the Unity Pro software
Download of configuration files via FTP, using the built-in FTP server of the Ethernet RTU module (BMX NOR 0200H)
PLC: configuration and remote management (figure: HMI, SCADA Control Server with Unity Pro, and PLC on the LAN 172.27.228.0/24 provided by IEC)
PLC: remote web management (figure)
Cyber attack strategy
To conduct an attack on a SCADA system:
It is useful to start with information gathering:
Find information about the architecture of the SCADA system and its components: IP addresses, MAC addresses, open services, software versions
This reconnaissance is typically carried out with tools such as Nmap, Ettercap, snmpcheck and Wireshark
Based on the results of the previous step, choose the most suitable attack strategy
Very often a sophisticated attack is not even needed: it is enough to exploit poor configurations, or configurations left with default parameters
Information Gathering (1/2)
First step: before defining the kind of cyber attack to implement, we need to perform information gathering.
Using the Nmap tool on the attacker machine (Kali Linux), we have conducted information gathering and a vulnerability assessment of the ENEA test bed.
In particular, an in-depth scan was carried out on the PLC, in its default configuration, to discover potential vulnerabilities.
By means of the Nmap scan, we have discovered some enabled services on the PLC to analyze in depth:
HTTP service
SNMPv1 service
FTP service
Information Gathering (2/2) (figure: Nmap scan results)
SNMP service: in-depth analysis (1/4)
SNMP (Simple Network Management Protocol) is used for network management.
The 'read only' community string configured in the PLC is 'public', so it is easy to get any information on the PLC with a generic SNMP tool.
Knowledge of the 'write' community string configured in the PLC allows the PLC configuration to be modified.
SNMP v1 has no encryption of the exchanged data and no user/password authentication: the community string, sent in clear text, is the only access control.
SNMP service: in-depth analysis (2/4)
Using the snmpcheck tool with the '-w' option, we verified that the SNMP service on the PLC has the 'write' community string also set to 'public'.
A write community string set to 'public' exposes the device to configuration changes by attackers.
SNMP service: in-depth analysis (3/4)
After discovering that a device is listening on UDP port 161, an SNMP enumeration tool, like snmpwalk, can be used to extract information from the device.
SNMP service: in-depth analysis (4/4)
During the information gathering campaign, we discovered that the PLC has the write community string set to 'public', so it is very simple to force a change of parameters.
Using the snmpset tool, we may change some device parameters via SNMP (e.g. system name, IP address and so on).
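As an added example (not part of the original presentation), the following Python code encodes an SNMPv1 SetRequest by hand and decodes it again, which makes the two points of this section visible byte by byte: the community string is the only "credential" and it travels in clear text, and a write community left at 'public' turns a sniffable string into configuration access. It writes sysName.0 (1.3.6.1.2.1.1.5.0, the standard MIB-II object for the system name); the new name 'PLC-renamed' and the alert function name are choices of this example. Only standard-library Python is used.

```python
# Minimal BER/SNMPv1 encoder and decoder (added example, standard library only).
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse", 0xA3: "SetRequest"}
SET_REQUEST = 0xA3
SYS_NAME_0 = "1.3.6.1.2.1.1.5.0"        # sysName.0 (MIB-II)
DEFAULT_COMMUNITIES = {"public", "private"}


def _length(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _length(len(payload)) + payload


def ber_integer(value):
    n = 1                                  # smallest two's-complement width that fits
    while not -(1 << (8 * n - 1)) <= value < (1 << (8 * n - 1)):
        n += 1
    return _tlv(0x02, value.to_bytes(n, "big", signed=True))


def ber_octets(data):
    return _tlv(0x04, data)


def ber_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])   # first two arcs share one octet
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                      # base-128, continuation bit on all but last
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return _tlv(0x06, bytes(body))


def ber_sequence(*items):
    return _tlv(0x30, b"".join(items))


def snmpv1_set_string(community, oid, new_value, request_id=1):
    """UDP payload of an SNMPv1 SetRequest writing an OCTET STRING.

    This is the datagram 'snmpset -v1 -c <community> <host> <oid> s <value>' puts on
    the wire: version 0 (v1), the community in clear, then the PDU.
    """
    varbind = ber_sequence(ber_oid(oid), ber_octets(new_value.encode()))
    pdu = _tlv(SET_REQUEST, ber_integer(request_id) + ber_integer(0) + ber_integer(0)
               + ber_sequence(varbind))           # request-id, error-status, error-index, varbinds
    return ber_sequence(ber_integer(0), ber_octets(community.encode()), pdu)


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def inspect_snmp(datagram):
    """Version, community, PDU type and OIDs: what a sniffer or the NIDS sees."""
    tag, msg, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    pos = 0
    for _skip in range(3):                  # request-id, error-status, error-index
        _, _, pos = _read_tlv(pdu, pos)
    _, varbinds, _ = _read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):
        _, vb, pos = _read_tlv(varbinds, pos)
        _, oid, _ = _read_tlv(vb, 0)
        oids.append(_decode_oid(oid))
    version = int.from_bytes(ver, "big", signed=True)
    return {"version": {0: "v1", 1: "v2c"}.get(version, str(version)),
            "community": community.decode(errors="replace"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)), "oids": oids}


def is_default_community_write(datagram):
    """NIDS alert condition: a SetRequest authorised only by a default community."""
    info = inspect_snmp(datagram)
    return info["pdu"] == "SetRequest" and info["community"] in DEFAULT_COMMUNITIES


if __name__ == "__main__":
    # Constructed example: rename the PLC through sysName.0 using the 'public' write community
    datagram = snmpv1_set_string("public", SYS_NAME_0, "PLC-renamed")
    print(datagram.hex())
    print(inspect_snmp(datagram))
    print("write with default community:", is_default_community_write(datagram))
```

The hex dump shows the community string as plain ASCII right after the version octet, which is why a single captured snmpwalk is enough to recover it; the alert function is the rule a network IDS on the test bed segment can apply to UDP/161 traffic.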
SYN flood attack (1/2)
SYN flood is a DoS attack.
The attacker sends a large number of TCP SYN requests to the target machine (in this case the PLC) but never completes the handshake with the final ACK. The target machine may exhaust its memory resources keeping half-open connections, waiting for responses that will never arrive.
(figure: switch connecting HMI IP 172.27.228.10, Attacker IP 172.27.228.9 and PLC IP 172.27.228.102 / 172.27.228.103)
SYN flood attack (2/2)
The SYN flood attack has been carried out from Kali Linux using the 'hping3' tool.
SYN flood attack: effects
The SYN flood attack causes a slowdown of the PLC responses or a disruption of the network traffic between the PLC and the management stations (such as the SCADA Control Server and the configuration software machine). Error dialogs observed on the management station:
"Communication Error: Unable to retrieve status of the PLC: unexpected disconnection possible. Select Connect to establish the connection. Select Cancel to return to the offline mode" (buttons: Connect / Cancel)
"Invalid PLC IP address or PLC is busy or support disabled"
DoS attacks consequences on SCADA system
Consequences on SCADA system:
Loss of controllability: if PLC/RTU can’t receive
packets from SCADA Control Server
Loss of observability: if the SCADA Control Server
can’t receive packets from PLC/RTU
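As an added example (not part of the original presentation), the following Python code shows the detection side of the SYN flood described above: the logic a network IDS such as the one on the test bed can run over captured TCP headers to flag a host accumulating half-open connections. The traffic is constructed inline (it is not a capture from the test bed), reusing the HMI, attacker and PLC addresses from the slides; the target port 502 and the threshold of 100 half-open connections per second are assumptions of this example.

```python
from collections import defaultdict

# TCP flag bits as they appear in the header
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

HMI, ATTACKER, PLC = "172.27.228.10", "172.27.228.9", "172.27.228.102"   # test bed addresses


def detect_syn_flood(packets, window_ms=1000, threshold=100):
    """Flag destinations with too many half-open connections inside a time window.

    packets: time-ordered (ts_ms, src, sport, dst, dport, flags) tuples.
    Counting is keyed by destination, not by source, because a flood may use
    spoofed or rotating source addresses that a per-source rate limit would miss.
    Returns one (ts_ms, dst, half_open_count) alert per flooded destination.
    """
    half_open = defaultdict(dict)          # dst -> {(src, sport): ts of the SYN}
    alerted, alerts = set(), []
    for ts, src, sport, dst, dport, flags in packets:
        key = (src, sport)
        if flags & SYN and not flags & ACK:
            half_open[dst][key] = ts        # new embryonic connection
        elif flags & (ACK | RST | FIN):
            half_open[dst].pop(key, None)   # handshake completed or connection torn down
        # only SYNs inside the window count towards the rate
        half_open[dst] = {k: t for k, t in half_open[dst].items() if ts - t <= window_ms}
        if len(half_open[dst]) >= threshold and dst not in alerted:
            alerted.add(dst)
            alerts.append((ts, dst, len(half_open[dst])))
    return alerts


def half_open_connections(packets):
    """Half-open connections per destination left at the end of the capture."""
    pending = defaultdict(set)
    for ts, src, sport, dst, dport, flags in packets:
        if flags & SYN and not flags & ACK:
            pending[dst].add((src, sport))
        elif flags & (ACK | RST | FIN):
            pending[dst].discard((src, sport))
    return {dst: len(v) for dst, v in pending.items() if v}


def constructed_capture():
    """Constructed traffic (not a real capture): one legitimate connection, then a flood."""
    pkts = [
        (0, HMI, 40001, PLC, 502, SYN),            # HMI opens a connection to the PLC
        (1, PLC, 502, HMI, 40001, SYN | ACK),      # PLC answers
        (2, HMI, 40001, PLC, 502, ACK),            # handshake completed: not half-open
    ]
    # hping3-style flood: a fresh source port for every SYN and the final ACK never sent
    # (target port 502 is an assumption of this example)
    pkts += [(500 + i, ATTACKER, 1024 + i, PLC, 502, SYN) for i in range(150)]
    return pkts


if __name__ == "__main__":
    capture = constructed_capture()
    print("alerts:", detect_syn_flood(capture))
    print("half-open at end of capture:", half_open_connections(capture))
```

The legitimate HMI connection never counts because its ACK removes it from the table; the alert fires on the hundredth attacker SYN within the window and reports the PLC as the affected destination, matching the loss of controllability and observability described above.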
MITM attack by means of Ettercap
To perform a MITM attack in the switched LAN, we have used Ettercap, supplied with the Kali Linux distribution.
Ettercap is a network manipulation tool used to perform several kinds of attacks:
Password sniffing for many network protocols
Character injection
Packet filtering and others
MITM attack against an FTP session (1/3)
(figure: switch connecting HMI IP 172.27.228.10 MAC 00-50-8b-ac-09-7c, Attacker IP 172.27.228.9 MAC 00-14-5e-1e-1d-5e, and PLC IP 172.27.228.103 MAC 00-80-f4-11-5d-68)
The attacker, using Ettercap, captures all traffic going from the HMI to the PLC.
Ettercap poisons the ARP cache of each machine, so that all Ethernet traffic between them passes through the attacker and is intercepted.
Ettercap automatically extracts the login and password from any active connection.
MITM attack against an FTP session (2/3)
The HMI starts an FTP session to the PLC and logs in.
MITM attack against an FTP session (3/3)
Ettercap shows us the login and password, which are sent in clear text in the FTP session.
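As an added example (not part of the original presentation), the following Python code covers the three FTP MITM slides from the defender's side and the attacker's side: it detects the ARP cache poisoning that Ettercap performs (an IP whose MAC binding changes, and one MAC claiming several IPs), using the HMI, attacker and PLC MAC addresses shown on the slides, and it shows how little work is needed to pull credentials out of the FTP session once traffic flows through the attacker. The ARP frames and the FTP stream are constructed inline (the credentials are invented for this example, not taken from the test bed).

```python
from collections import defaultdict

ARP_REQUEST, ARP_REPLY = 1, 2

# MAC addresses of the test bed nodes as shown on the slides
HMI_MAC, ATTACKER_MAC, PLC_MAC = "00-50-8b-ac-09-7c", "00-14-5e-1e-1d-5e", "00-80-f4-11-5d-68"
BASELINE = {"172.27.228.10": HMI_MAC, "172.27.228.9": ATTACKER_MAC, "172.27.228.103": PLC_MAC}


def detect_arp_poisoning(frames, baseline):
    """Flag ARP replies that rewrite an IP-to-MAC binding or let one MAC claim several IPs.

    frames: (ts, opcode, sender_ip, sender_mac) as seen on a mirror port.
    baseline: {ip: mac} learned while the network was known to be clean.
    Returns (ts, kind, mac, detail) alerts, each distinct alert reported once.
    """
    table = dict(baseline)
    ips_by_mac = defaultdict(set)
    for ip, mac in table.items():
        ips_by_mac[mac].add(ip)
    alerts, seen = [], set()

    def report(ts, kind, mac, detail):
        if (kind, detail) not in seen:
            seen.add((kind, detail))
            alerts.append((ts, kind, mac, detail))

    for ts, op, ip, mac in frames:
        if op != ARP_REPLY:
            continue                                   # only replies rewrite caches here
        known = table.get(ip)
        if known and known != mac:
            report(ts, "mac_change", mac, f"{ip} moved from {known} to {mac}")
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > 1:
            report(ts, "mac_claims_many_ips", mac, f"{mac} claims {sorted(ips_by_mac[mac])}")
        table[ip] = mac                                # mirror what a victim's cache would do
    return alerts


def suspect_macs(frames, baseline):
    """The MAC addresses implicated by the alerts: where the MITM host sits."""
    return {mac for _, _, mac, _ in detect_arp_poisoning(frames, baseline)}


def ftp_credentials(stream):
    """Once traffic flows through the attacker, FTP credentials need no decoding at all."""
    creds = {}
    for line in stream.decode(errors="replace").splitlines():
        if line.upper().startswith("USER "):
            creds["user"] = line[5:]
        elif line.upper().startswith("PASS "):
            creds["password"] = line[5:]
    return creds


# Constructed frames (not a real capture): a normal resolution, then Ettercap-style
# poisoning of both victims, repeated later as the tool refreshes the caches.
FRAMES = [
    (0, ARP_REQUEST, "172.27.228.10", HMI_MAC),
    (1, ARP_REPLY, "172.27.228.103", PLC_MAC),
    (5, ARP_REPLY, "172.27.228.103", ATTACKER_MAC),   # "the PLC is at the attacker's MAC"
    (5, ARP_REPLY, "172.27.228.10", ATTACKER_MAC),    # "the HMI is at the attacker's MAC"
    (15, ARP_REPLY, "172.27.228.103", ATTACKER_MAC),
]
# Constructed FTP client-to-server stream; the credentials are invented for this example
FTP_STREAM = b"USER plcadmin\r\nPASS Sup3rv1sor\r\nSYST\r\n"

if __name__ == "__main__":
    for alert in detect_arp_poisoning(FRAMES, BASELINE):
        print(alert)
    print("suspect MAC(s):", suspect_macs(FRAMES, BASELINE))
    print("sniffed FTP credentials:", ftp_credentials(FTP_STREAM))
```

The first poisoned reply already produces both alert kinds, and the implicated MAC is the attacker's, which is exactly the information an operator needs to locate the MITM host on the switch; the repeated reply at a later time adds nothing new and is suppressed.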
MITM attacks consequences on SCADA system
Consequences on SCADA system:
Fake controllability: PLC/RTU receives fake packets
from SCADA Control Server
Fake observability: SCADA Control Server receives
fake packets from PLC/RTU
Thank you for your attention